Spanish arrests mark the end of dangerous botnet

Another botnet has been taken down after the arrest of its operators in Spain …

A massive botnet of up to 12.7 million infected PCs has been dismantled after Spanish police, working in conjunction with a Canadian security firm, arrested the botnet's operators. The Mariposa botnet first emerged in December 2008, and was used to steal credit card and bank details from infected PCs. The malware driving it was spread through instant messaging, USB thumb drives, and peer-to-peer networking.

Defence Intelligence, the Canadian firm involved in the bust, started investigating the botnet in spring 2009. The company discovered that the botnet had command and control servers based in Spain, and so joined forces with Spanish firm Panda Security. With their input, the authorities knocked the botnet offline around Christmas. Luck was on the investigators' side; the Internet services used by the hackers were willing to cooperate with the investigation, and most critically, one of the botnet's operators then tried to regain control of the botnet directly from his own PC. This mistake allowed the investigators to identify him and track him down.

The arrest of the operators of such a large botnet is unusual. Operators of smaller networks are easier to identify (smaller networks have less traffic to hide in), so arrests are relatively common. Operations such as Microsoft's recent disabling of the Waledac network may take the botnet offline, but the operators typically remain free to try again. The nature of the Mariposa network made catching the perpetrators particularly important; while botnets like Waledac and Conficker are used predominantly for spamming (annoying and illegal, but relatively harmless as these things go), Mariposa's harvesting of financial information made it much more dangerous.

The hackers themselves—unnamed, per Spanish privacy rules—appeared to be quite ordinary, far from the genius hacker stereotype. They were Spanish citizens with no prior criminal convictions, aged 31, 30, and 25. They depended on their connections in the criminal underworld to get them the resources necessary to start and operate the botnet. Though the network had likely made them rich—investigators are still examining bank records to determine just how much money was made—this was not reflected in their lifestyles. If convicted, they face up to six years in prison for hacking. Further arrests related to Mariposa are also expected.